CVE-2025-66312 is a stored Cross-Site Scripting (XSS) vulnerability affecting the Grav CMS admin plugin prior to version 1.11.0-beta.1. The vulnerability resides in the /admin/accounts/groups/Grupo endpoint, specifically in the handling of the data[readableName] parameter. Improper neutralization of input allows attackers with authenticated access to inject malicious JavaScript code that is stored persistently on the server. When other users access the affected page, the injected script executes in their browsers within the context of the Grav admin interface. This can lead to session hijacking, privilege escalation, or unauthorized actions performed on behalf of the victim. The vulnerability requires authentication and user interaction to trigger, which somewhat limits its exploitation scope. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no privileges required for initial access but privileges required for exploitation, user interaction required, and low impact on confidentiality and integrity but high scope and availability impact. No public exploits have been reported yet, but the risk remains significant for organizations running vulnerable Grav versions, especially those exposing the admin interface to the internet. The issue was resolved in Grav version 1.11.0-beta.1 by properly sanitizing the input to prevent script injection.

For European organizations, this vulnerability poses a risk primarily to the confidentiality and integrity of administrative sessions and data within Grav CMS environments. Successful exploitation can lead to session hijacking, unauthorized administrative actions, and potential defacement or data manipulation of websites managed via Grav. Organizations relying on Grav for critical web content management, especially those with publicly accessible admin interfaces, face increased risk of targeted attacks. The vulnerability could also be leveraged as a foothold for further lateral movement within networks if attackers gain administrative privileges. Given the medium severity and requirement for authentication, the impact is moderate but could escalate if combined with other vulnerabilities or weak credential management. Disruption of availability is less likely but possible if malicious scripts cause application errors or crashes. The risk is heightened for sectors with high-value web assets such as government, finance, and media within Europe.

European organizations should immediately upgrade Grav CMS to version 1.11.0-beta.1 or later to apply the official fix. Until patching is possible, restrict access to the /admin interface using network-level controls such as VPNs, IP whitelisting, or web application firewalls (WAFs) with rules to detect and block suspicious input patterns targeting the data[readableName] parameter. Implement strict input validation and output encoding on any custom plugins or extensions interacting with Grav admin endpoints. Enforce strong authentication mechanisms, including multi-factor authentication (MFA), to reduce the risk of unauthorized access. Regularly audit user accounts and permissions to minimize the number of users with administrative privileges. Monitor web server and application logs for unusual activity related to the /admin/accounts/groups/Grupo endpoint. Educate administrators about the risks of XSS and safe browsing practices within the admin interface. Finally, consider deploying Content Security Policy (CSP) headers to limit the impact of any injected scripts.